dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1f

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 18:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Size

351KB
MD5

1a8b74bb1c5ec082348e328af1b62770
SHA1

f98c770aff2f04871caea41b2586ed20e22c77a5
SHA256

dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1f
SHA512

bbe5aef799a5ecafdad06a8adf96b00bbef512966cb11b907141cabb61efdb1cfee8552610653b9723de252ea6475404814fd9ad123189639858f6a8d33d2937
SSDEEP

6144:V/OZplOYZplx/OZpl7/OZplx/OZplQ/OZplU:V/MOqx/M7/Mx/MQ/MU

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
1744	Tiwi.exe
2844	IExplorer.exe
2332	Tiwi.exe
3036	Tiwi.exe
956	Tiwi.exe
2948	IExplorer.exe
544	IExplorer.exe
2600	IExplorer.exe
2280	winlogon.exe
2592	winlogon.exe
2596	winlogon.exe
1964	imoet.exe
1956	imoet.exe
1604	imoet.exe
1608	cute.exe
2636	Tiwi.exe
2840	cute.exe
2536	Tiwi.exe
1724	IExplorer.exe
2504	cute.exe
2584	Tiwi.exe
936	winlogon.exe
1300	IExplorer.exe
2572	IExplorer.exe
1644	imoet.exe
2128	winlogon.exe
2496	cute.exe
1624	winlogon.exe
1952	winlogon.exe
1296	imoet.exe
1340	imoet.exe
2188	imoet.exe
1272	cute.exe
1052	cute.exe
748	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
1744	Tiwi.exe
1744	Tiwi.exe
2844	IExplorer.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
2844	IExplorer.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
2844	IExplorer.exe
2844	IExplorer.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
1744	Tiwi.exe
1744	Tiwi.exe
1744	Tiwi.exe
1744	Tiwi.exe
2844	IExplorer.exe
2844	IExplorer.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
2844	IExplorer.exe
2844	IExplorer.exe
1744	Tiwi.exe
1744	Tiwi.exe
2592	winlogon.exe
2592	winlogon.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
1956	imoet.exe
2592	winlogon.exe
1956	imoet.exe
1608	cute.exe
1608	cute.exe
2592	winlogon.exe
2592	winlogon.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
2592	winlogon.exe
2592	winlogon.exe
1956	imoet.exe
1956	imoet.exe
1608	cute.exe
1608	cute.exe
1608	cute.exe
1608	cute.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
1956	imoet.exe
1608	cute.exe
1956	imoet.exe
1956	imoet.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\G:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\R:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\Z:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\O:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\T:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\S:	cute.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\H:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\W:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\X:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\K:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\Q:	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\Z:	Tiwi.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe
File created	C:\autorun.inf	IExplorer.exe
File opened for modification	C:\autorun.inf	IExplorer.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\tiwi.scr	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\tiwi.exe	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\tiwi.exe	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s1159 = "Tiwi"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s2359 = "Tiwi"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\SwapMouseButtons = "1"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\	cute.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1744	Tiwi.exe
1956	imoet.exe
2592	winlogon.exe
2844	IExplorer.exe
1608	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
1744	Tiwi.exe
2844	IExplorer.exe
2332	Tiwi.exe
956	Tiwi.exe
3036	Tiwi.exe
544	IExplorer.exe
2600	IExplorer.exe
2948	IExplorer.exe
2592	winlogon.exe
2596	winlogon.exe
1956	imoet.exe
2280	winlogon.exe
1964	imoet.exe
1608	cute.exe
2636	Tiwi.exe
1604	imoet.exe
2840	cute.exe
1724	IExplorer.exe
2536	Tiwi.exe
2584	Tiwi.exe
936	winlogon.exe
2504	cute.exe
1644	imoet.exe
1300	IExplorer.exe
2572	IExplorer.exe
2496	cute.exe
1952	winlogon.exe
2128	winlogon.exe
1624	winlogon.exe
1296	imoet.exe
1340	imoet.exe
2188	imoet.exe
1052	cute.exe
1272	cute.exe
748	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1744	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	30
PID 3064 wrote to memory of 1744	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	30
PID 3064 wrote to memory of 1744	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	30
PID 3064 wrote to memory of 1744	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	30
PID 3064 wrote to memory of 2844	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	31
PID 3064 wrote to memory of 2844	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	31
PID 3064 wrote to memory of 2844	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	31
PID 3064 wrote to memory of 2844	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	31
PID 1744 wrote to memory of 2332	1744	Tiwi.exe	32
PID 1744 wrote to memory of 2332	1744	Tiwi.exe	32
PID 1744 wrote to memory of 2332	1744	Tiwi.exe	32
PID 1744 wrote to memory of 2332	1744	Tiwi.exe	32
PID 3064 wrote to memory of 3036	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	33
PID 3064 wrote to memory of 3036	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	33
PID 3064 wrote to memory of 3036	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	33
PID 3064 wrote to memory of 3036	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	33
PID 2844 wrote to memory of 956	2844	IExplorer.exe	34
PID 2844 wrote to memory of 956	2844	IExplorer.exe	34
PID 2844 wrote to memory of 956	2844	IExplorer.exe	34
PID 2844 wrote to memory of 956	2844	IExplorer.exe	34
PID 1744 wrote to memory of 2948	1744	Tiwi.exe	35
PID 1744 wrote to memory of 2948	1744	Tiwi.exe	35
PID 1744 wrote to memory of 2948	1744	Tiwi.exe	35
PID 1744 wrote to memory of 2948	1744	Tiwi.exe	35
PID 2844 wrote to memory of 544	2844	IExplorer.exe	36
PID 2844 wrote to memory of 544	2844	IExplorer.exe	36
PID 2844 wrote to memory of 544	2844	IExplorer.exe	36
PID 2844 wrote to memory of 544	2844	IExplorer.exe	36
PID 3064 wrote to memory of 2600	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	37
PID 3064 wrote to memory of 2600	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	37
PID 3064 wrote to memory of 2600	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	37
PID 3064 wrote to memory of 2600	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	37
PID 2844 wrote to memory of 2592	2844	IExplorer.exe	38
PID 2844 wrote to memory of 2592	2844	IExplorer.exe	38
PID 2844 wrote to memory of 2592	2844	IExplorer.exe	38
PID 2844 wrote to memory of 2592	2844	IExplorer.exe	38
PID 3064 wrote to memory of 2280	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	39
PID 3064 wrote to memory of 2280	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	39
PID 3064 wrote to memory of 2280	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	39
PID 3064 wrote to memory of 2280	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	39
PID 1744 wrote to memory of 2596	1744	Tiwi.exe	40
PID 1744 wrote to memory of 2596	1744	Tiwi.exe	40
PID 1744 wrote to memory of 2596	1744	Tiwi.exe	40
PID 1744 wrote to memory of 2596	1744	Tiwi.exe	40
PID 1744 wrote to memory of 1964	1744	Tiwi.exe	41
PID 1744 wrote to memory of 1964	1744	Tiwi.exe	41
PID 1744 wrote to memory of 1964	1744	Tiwi.exe	41
PID 1744 wrote to memory of 1964	1744	Tiwi.exe	41
PID 2844 wrote to memory of 1956	2844	IExplorer.exe	42
PID 2844 wrote to memory of 1956	2844	IExplorer.exe	42
PID 2844 wrote to memory of 1956	2844	IExplorer.exe	42
PID 2844 wrote to memory of 1956	2844	IExplorer.exe	42
PID 3064 wrote to memory of 1604	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	43
PID 3064 wrote to memory of 1604	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	43
PID 3064 wrote to memory of 1604	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	43
PID 3064 wrote to memory of 1604	3064	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe	43
PID 2844 wrote to memory of 1608	2844	IExplorer.exe	44
PID 2844 wrote to memory of 1608	2844	IExplorer.exe	44
PID 2844 wrote to memory of 1608	2844	IExplorer.exe	44
PID 2844 wrote to memory of 1608	2844	IExplorer.exe	44
PID 1744 wrote to memory of 2840	1744	Tiwi.exe	45
PID 1744 wrote to memory of 2840	1744	Tiwi.exe	45
PID 1744 wrote to memory of 2840	1744	Tiwi.exe	45
PID 1744 wrote to memory of 2840	1744	Tiwi.exe	45

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe

C:\Users\Admin\AppData\Local\Temp\dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe
"C:\Users\Admin\AppData\Local\Temp\dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1fN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3064
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1744
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2332
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2948
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2840
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2844
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:956
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:544
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2592
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2636
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1724
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:936
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1644
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2496
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1956
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2536
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1300
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1624
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2188
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1052
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1608
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2584
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2572
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1952
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1296
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1272
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2600
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2280
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1604
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2504
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2128
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1340
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
26d8cbec204da34b62a17f9c8bee0ee1

SHA1
93bb6aa5a212a755816208e8d9631292816554c2

SHA256
448af8308d91568c90bf4052dae35e2b1d34dd307b9ad8f54ed42217794ab52d

SHA512
4f04bbafaa749cfa54f06b66a5b609e2ebaa48ae438de4f0111885f3e868567ebea75989b398c35815d65c6656bcca1338ef7209da0ae7ea52c8d62d58a16feb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
351KB

MD5
19a86f30870e75a1b60ac46640d36db4

SHA1
deec3d2c2cc2337c73731beebce7199dad768c91

SHA256
b5295b70ed3e2f15d5063e1b7a8e25dea686264eb82e21b7aebcbbfdb1c4fb62

SHA512
ca2c97b9968db1b8c8c07e76e170de2ceca05d4d1fb42ef8b8a400fe5a3b3f77fb3ac15a75b4cf006f7abb00b7512c1faaefb9f00c436d6159e3a5f38d20daf2

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
351KB

MD5
badcc4e419535b626aebbfd50ec35207

SHA1
8c671e2ef7bf8d0a1f48e55aab5a5e9a7c64f266

SHA256
d4a83f309b4d1391c05e296ac8b0ad2bb4aeb854c148d0c4e432531245266e8a

SHA512
ac3c096770a3824689dce63f39a2fd99f6322c25f82fac247d764b17321134b94bccc2af00633b14238016f8b018ca313737c4196f4a530cbf02e7ce8b66e9c7

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
351KB

MD5
c773b53c2444e19c69dc77dc90c41449

SHA1
6564e2a2f84cbcbc3d66308937cee617de206478

SHA256
7497e0f47caca10ed40293e320b03cb5055690d484ae873467a7bd6a81beb41f

SHA512
9de506a6952f56f2ad124d4891039a0b6e54bdaa0e4af3a51afc981c2db0c3381cc8d6bfffc09ede5793c1a5b16238829bac569152e3af8946516715a5a79009

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
351KB

MD5
edb5c7a5b89edf64f1abe2999f6b2458

SHA1
258e8739f05396426dc4e861a779da7d45225e8d

SHA256
3d2aeb2ee3f5edfd2abb80d2edf912d367a537edb5a9e657e6a471654a7ac457

SHA512
f7084337fa2396e4b0f29f70d21f37984e09fb79b39d7431d2339c9f60580f7eefb70812fdcd887d9e6cb54e671868d674c4496102b5c51f550fa255ff8f7296

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
e1d8afcb04df9e64a6d79510b9958eb8

SHA1
246615e5432f54cdc009206a4f7fb667764cb43a

SHA256
3c4d3e09ec486a4740c0de34d5609d6014821937e9c548fbec611fb1e6cc8029

SHA512
9ca9b37ef61503cf270422d1a0d14d87359c357ca1ae8c199541ee7ae720674c03d13bcfd97a71586110298a384c3f57cd22f25bc4664c103cfb8d12db9569a8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
78c3728c7f3e189113a4fadef1d18a5c

SHA1
deab187618859f1b386066e989808279b7ef3197

SHA256
a2c1a243d788aa379c76435bd4289b0c0357d3b702b675bbe7246875d3918b61

SHA512
9e568300ef337a3606983a863a3524a37a1018bb50b0b4b2a9b18cc1a5e1f2bf13b62fa2f9ecfed8e425927de48f9966281e6d2ca9cb6668420fcf1d58d16ffd

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
351KB

MD5
51e131bed09d8d333347d305397fec7a

SHA1
239490a5ddf9b3ad0b0b3f7f1737228915723ed4

SHA256
03bb51a8a7b099fb2a533b0f64013ebab32bda2c04aab89078f607ede4a84cb7

SHA512
d7be6c7d9e23ffd2d0aec7562ac1890022c7e979a7a86c00454fb62c6d139b18f20873095e12bd68a784bf0015bad59d5ed9980fff1770471b0cf38801b0eca3

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
351KB

MD5
9e6c0ffa39654b018b4603f08162f1cd

SHA1
0dbe941c972f964fdcd0deb4e34fe8ef03cb551a

SHA256
3bb634d474c4c217d2aea9e4e398dd2bf6a53e1311aee9f016b1b0bea66221cb

SHA512
5da71f7876718d45e2ba3d53dd88bbf1f78354652089e0ea53a44495d4a5ceec49c576a978e65c6b5444122517b692e7f9d82f71d9e3d8951d3aa3becdc5f8ea

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
351KB

MD5
8f05cfc0de86493ca9e195aa51095477

SHA1
c80894c560b34c0def1457045336bc3922ecbbe6

SHA256
f4a902c9c47b3207d2c8c45953b7c15a06219b1e48ca503c8193281944a420a3

SHA512
ef386fce150fd257751965b553f96d8bfa2a530d73f8c3477ea747165ad8b1089d15e5f14e5f608aa8ebad88dff9d7fd2a29d3b33e3cc46ce04d5c53b2317f04

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
351KB

MD5
c06393a490df6a2d9c3a0475e60f9bd4

SHA1
37ed7fc59b7eaa7c03545c4724e49685939adf97

SHA256
86cf629953384d57457e66df48327e454e4747096412c09198798a901d9122bc

SHA512
366d8b3fb053f9bd6a337441d2cc2dc8aff7705f83d695cc2be56676ba1d2ac1e8f9d60c5ca944d644b9290e306839ded097eaa7de9d8969057eec0e974ba8c5

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
351KB

MD5
e10aafebf16c168d0e50eaa0bd287e36

SHA1
1b9ac875efac9e736bcf61f662627d5926df41e5

SHA256
77f46051e2fff6c2491dab2682135d591654f56d5f3a001f09bb464408ac6dcf

SHA512
dba515141c968f5768c4e64b6f82ad7ee4cc237a0fb42f6bfa07c3666893e5fbae84f3eddab7d4f190ed76cb9b412f113d5dff8995767c4944eb3887d139340d

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
351KB

MD5
65b3f2e8089b211a8bbbea1d54a2f80d

SHA1
cca7794c014dd5883394753abd32b4ecbf69f95b

SHA256
0bf1738563c0636e29bd181425766b193382afe46345703c10cf18cf384ddabf

SHA512
320d6d0298918c172c38358b0a6c39f8258c12086631858b1c510bd9731bee875f81388299a303c9b01004efaf530b36e17c0c8827f8802ee939c899de702f8a

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
351KB

MD5
1a8b74bb1c5ec082348e328af1b62770

SHA1
f98c770aff2f04871caea41b2586ed20e22c77a5

SHA256
dc49f0636dd0b07cfdb3c95d12d7d8e026e3194cd67b051e218bc9cacef7bb1f

SHA512
bbe5aef799a5ecafdad06a8adf96b00bbef512966cb11b907141cabb61efdb1cfee8552610653b9723de252ea6475404814fd9ad123189639858f6a8d33d2937

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
351KB

MD5
2b1f853f5ded5aaa14ffe0af5e89dd02

SHA1
563d2f140170c776ca1b23223d50d6a66626bb86

SHA256
841ed748d606937c47cd0c1b9b898bb5c5253c378e19a684d71c5617eef79f25

SHA512
d3ce2a5532078368b3fc268cfbcaae3d03044c23c5301d3030db1b6db28a97cd541b80fd47c01b505c43fd90edbe85840c4edb56b00c9aa88809088d06a44ecc

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
351KB

MD5
55de1742e1f9af7adc20695f55205aba

SHA1
7e582d75698ab312a13b2ae702ea855191b07d00

SHA256
00067be0c1a6ec3ca13cde93ae80663234356bcbab4122959e79e5d80b2ee5d0

SHA512
5f84ed4dd1135ea96b54925134a55d6608b3584adbb7404b675bfb6cc3f60caf21b5b69d0cbaa41ed199ba33fe07e0025d394a63305cb1d1bde99094e8bcc953

Download Submit
C:\Windows\tiwi.exe

Filesize
351KB

MD5
351f16545e09ff28967782ee42654456

SHA1
870cf43acb39cf27f6c1efb6a13315789be0e43a

SHA256
7c897547da7167829369fcd8da1545b7c3532a5e0183b200656a664bcd0edc72

SHA512
dab48490eb6bfd5477af7acef189628b656cc060a24291554592dc2c0bd227b90d48455ff73305eaa586def4fa3e72b8c1437517d7af00f0ce73eeedfd7a8f52

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
351KB

MD5
153fc78877be8a0e98a44522d372826e

SHA1
ea34c04b8d8ec889c24bf15c2559325282b0b5f5

SHA256
c304ce8f07b257cb4b3abf44d610ee1817ed6b64e225fb1f8f9128dc7423ac08

SHA512
9d1813a55e3abd5e4b885342a013fc183e1a1cffea5788e646dd7063db093b0dc04176bb568d6b4b193ecab4af1904aedad9bfcd2ca31ab7e23a1e699cf8a2f8

Download Submit
C:\tiwi.exe

Filesize
351KB

MD5
a191570d22d87d5fb1bec413a941e8dd

SHA1
1109392d808cd5926cd76a34f1ebcd64d17fcc8f

SHA256
9497114dcf1853f3d2ecfa04b5b579160285967b7e564a61a8f9270e1814e51f

SHA512
018658d9ba180952569ec4de103b0de99ddacdbacf1350ae7b4aca4a188a89b4c32ef2690132e1294ff6f5529fa1ce77203ca52e460e60a6c5cee452edb55146

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
351KB

MD5
5269746546473ddd2cb9392a9d0b7076

SHA1
cdeeca0778392b2b0f1edd470b712e5d44542635

SHA256
c7a18d595cff6de5dcadd138f29dcd21aaeae9eff7e3154f66dde03ee55955d8

SHA512
685793a2a88fdbc9f688c9b5125d1d57963eb59244f71f277dd6cf6864a3c13138dbf20e78593d3a6f0120752b7d009e8b3db31e5f3371b4b0f5983a1c71e28e

Download Submit
memory/544-282-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/544-284-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/936-412-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/936-413-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/956-271-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/956-270-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/956-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1300-420-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1300-421-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1744-417-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/1744-100-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1744-262-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/1744-265-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1744-263-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/1744-416-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/2332-260-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2332-261-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2332-162-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2536-407-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2584-410-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2636-358-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2844-278-0x00000000032B0000-0x00000000038AF000-memory.dmp

Filesize
6.0MB

Download
memory/2844-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2844-433-0x00000000032B0000-0x00000000038AF000-memory.dmp

Filesize
6.0MB

Download
memory/2844-253-0x00000000032B0000-0x00000000038AF000-memory.dmp

Filesize
6.0MB

Download
memory/2844-342-0x00000000032B0000-0x00000000038AF000-memory.dmp

Filesize
6.0MB

Download
memory/2844-299-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2948-300-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2948-264-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3036-279-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3036-207-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3036-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-208-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-99-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-110-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-277-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-111-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-98-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-206-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-323-0x00000000033E0000-0x00000000039DF000-memory.dmp

Filesize
6.0MB

Download
memory/3064-446-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download